US telecommunications giant Comcast has warned that cybercriminals have stolen the personal data of more than 230,000 customers in a ransomware attack on a third-party provider of debt collection services.
The breach is related to a February cyberattack on Financial Business and Consumer Solutions (FBCS), a Pennsylvania-based debt collection agency used by Comcast.
In a filing Friday with the Maine attorney general, Comcast said FBCS initially told the company in March that the security incident did not involve Comcast customer data. In late July, FBCS notified Comcast that customer data had indeed been compromised.
Comcast said 237,703 subscribers were affected by the data breach, and hackers gained access to their names, addresses, Social Security numbers, dates of birth, and Comcast account and ID numbers.
Comcast said the stolen data belonged to people who were registered as customers “circa 2021,” adding that the company stopped using FBCS for debt collection in 2020.
FBCS has not yet disclosed the nature of the security incident, but Comcast's filing confirms that it was a ransomware attack.
“Between February 14 and February 26, 2024, an unauthorized person gained access to the FBCS computer network and some of its computers,” the filing states. “During this time, an unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.”
There have been no complaints from major ransomware groups yet, and FCEB previously blamed the attack on “unauthorized actors.”
FCEB did not respond to TechCrunch's questions.
In a filing with the Maine Attorney General earlier this year, FBCS acknowledged that the personal information of more than 4 million people was accessed during the February cyberattack. It's unclear how many of FBCS's customers were affected, but FBCS said in its data breach notification that in some cases, the attackers accessed medical billing and health insurance information.
CF Medical, a medical debt acquisition company known as Capio, has acknowledged that it is one of the organizations whose customers' health information was stolen as a result of the FBCS breach. In September, CF Medical announced that the personal and health information of more than 620,000 people had been stolen.
Trust Bank, one of the largest banks in the United States, also acknowledged that it was affected by the incident, in a recent filing with the California Attorney General. It's still unclear how many of Trust Bank's 10 million customers were affected, but the banking giant warned that the attackers had access to names, addresses, account numbers, dates of birth, and social security numbers.